PRIVACY POLICY

AutoThink Property Data Service

Last Updated: November 17, 2025

Effective Date: November 17, 2025

INTRODUCTION

AutoThink AI ("AutoThink," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our property data extraction service (the "Service") at https://ownerretriever.autothinkai.net.

This Privacy Policy applies to all users of our Service and should be read together with our Terms and Conditions and Data Processing Agreement.

Key Information:

• Data Controller: AutoThink AI, Portugal
• Contact: support@autothinkai.net or legal@autothinkai.net
• Governing Law: Laws of Portugal and GDPR (EU Regulation 2016/679)

TABLE OF CONTENTS

1. What Personal Data We Collect

2. How We Collect Your Personal Data

3. Why We Process Your Personal Data (Legal Basis)

4. How We Use Your Personal Data

5. Who We Share Your Personal Data With

6. International Data Transfers

7. How Long We Keep Your Personal Data

8. Cookies and Tracking Technologies

9. Your Rights Under GDPR

10. Data Security

11. Children's Privacy

12. Third-Party Links and Services

13. Changes to This Privacy Policy

14. How to Contact Us

15. How to File a Complaint

1. WHAT PERSONAL DATA WE COLLECT

We collect and process the following categories of personal data:

1.1 Account and Registration Data

1.2 Payment and Billing Data

Important: We do NOT store your full credit card numbers. Payment processing is handled securely by Stripe, our third-party payment processor. We only store the last 4 digits of your card and expiration date for identification purposes.

1.3 Usage and Technical Data

1.4 Communications Data

1.5 Data You Extract Using Our Service

Important Clarification: When you use our Service to extract property owner data from Idealista:

• We are the Data Processor for this extracted data
• You are the Data Controller for this extracted data
• We process this data solely on your instructions to provide the Service
• We do NOT use extracted data for any other purposes
• We do NOT sell, rent, or share extracted data with third parties
• Your obligations as Data Controller are detailed in our Terms and Conditions

Extracted Data May Include:

• Property owner names
• Property addresses
• Phone numbers (if requested and available)
• Other publicly available contact information from Idealista

2. HOW WE COLLECT YOUR PERSONAL DATA

We collect your personal data through the following methods:

2.1 Directly From You

When you:

• Create an account or register for the Service
• Subscribe to a plan or make a payment
• Update your account information or settings
• Contact us for customer support
• Fill out forms on our website
• Participate in surveys or provide feedback
• Communicate with us via email or chat

2.2 Automatically Through Technology

When you:

• Access or use our website and Service
• Log into your account
• Navigate through our platform
• Use our API

We automatically collect:

• IP addresses and device identifiers
• Browser and device information
• Usage patterns and service interactions
• Cookies and similar tracking technologies (see Section 8)

2.3 From Third-Party Sources

We may receive personal data about you from:

Stripe (Payment Processor):

• Payment transaction data
• Payment method verification
• Billing information
• Transaction status

Scraperium (Third-Party API Provider):

• Service availability data
• API usage logs
• Error reports

Google OAuth (if you sign up via Google):

• Your Google account email address
• Your Google account name
• Profile information you authorize

3. WHY WE PROCESS YOUR PERSONAL DATA (LEGAL BASIS)

Under GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal bases:

3.1 Contractual Necessity (GDPR Article 6(1)(b))

We process your personal data to:

• Create and manage your account
• Provide access to the Service
• Process payments and manage subscriptions
• Allocate and track credits
• Enable data extraction functionality
• Provide customer support
• Enforce our Terms and Conditions

Without this data, we cannot provide the Service to you.

3.2 Legal Obligation (GDPR Article 6(1)(c))

We process your personal data to:

• Comply with tax and accounting laws (7-year retention of financial records)
• Respond to lawful requests from law enforcement or regulatory authorities
• Comply with Portuguese and EU data protection laws
• Maintain billing records as required by law
• Process VAT and other tax obligations

3.3 Legitimate Interests (GDPR Article 6(1)(f))

We process your personal data based on our legitimate business interests to:

• Prevent fraud, abuse, and security threats
• Improve and optimize our Service
• Conduct analytics to understand user behavior
• Send important service announcements
• Investigate and resolve disputes
• Protect our legal rights and interests
• Ensure network and information security

We have assessed that these interests do not override your fundamental rights and freedoms.

3.4 Consent (GDPR Article 6(1)(a))

We process your personal data based on your explicit consent for:

• Marketing communications (you can opt out anytime)
• Optional features (e.g., analytics cookies)
• Surveys and feedback requests
• Newsletter subscriptions

You can withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. HOW WE USE YOUR PERSONAL DATA

We use your personal data for the following specific purposes:

4.1 Service Provision

• Creating and maintaining your user account
• Authenticating your identity when you log in
• Processing your payments and managing subscriptions
• Allocating credits to your account every 28 days
• Enabling you to extract property data from Idealista
• Providing access to your dashboard and account features
• Tracking credit usage and enforcing usage limits
• Generating invoices and billing statements

4.2 Customer Support

• Responding to your inquiries and support requests
• Troubleshooting technical issues
• Providing guidance on using the Service
• Resolving disputes or complaints
• Following up on support tickets

4.3 Security and Fraud Prevention

• Detecting and preventing fraudulent transactions
• Identifying suspicious account activity
• Protecting against unauthorized access
• Monitoring for security threats and vulnerabilities
• Enforcing our Terms and Conditions
• Investigating violations of our Acceptable Use Policy

4.4 Service Improvement and Analytics

• Analyzing usage patterns and trends
• Understanding how users interact with our Service
• Identifying areas for improvement
• Testing new features and functionality
• Conducting internal research and development
• Optimizing performance and user experience

4.5 Communications

• Sending transaction confirmations and receipts
• Notifying you of account changes or subscription renewals
• Sending important service announcements (cannot opt out)
• Providing updates on new features or changes to the Service
• Sending marketing communications (with your consent, opt out anytime)
• Requesting feedback or conducting surveys (with your consent)

4.6 Legal and Compliance

• Complying with legal obligations and regulations
• Responding to legal requests and court orders
• Protecting our legal rights in disputes
• Enforcing our contracts and policies
• Maintaining records as required by law

5. WHO WE SHARE YOUR PERSONAL DATA WITH

We do NOT sell, rent, or trade your personal data. We only share your personal data with the following categories of recipients for specific purposes:

5.1 Third-Party Service Providers (Sub-Processors)

We share your personal data with trusted third-party service providers who process data on our behalf:

Stripe (Payment Processing)

• Data Shared: Name, email, billing address, payment method details
• Purpose: Payment processing, subscription management, fraud prevention
• Location: United States (Stripe uses Standard Contractual Clauses for GDPR compliance)
• Data Processing Agreement: Yes, Stripe has a DPA in place
• Privacy Policy: https://stripe.com/privacy

Scraperium via RapidAPI (Data Extraction API)

• Data Shared: API requests, extraction parameters (NO payment or account data)
• Purpose: Providing data extraction functionality from Idealista
• Location: Check Scraperium/RapidAPI terms
• Data Processing Agreement: Covered under RapidAPI Terms
• Privacy Policy: https://rapidapi.com/privacy

Railway (Hosting Provider)

• Data Shared: All data stored on our servers (encrypted)
• Purpose: Infrastructure hosting, database management, server operations
• Location: Various data center locations
• Security: Industry-standard security measures
• Privacy Policy: https://railway.app/legal/privacy

Google OAuth (If Applicable)

• Data Shared: Google account email, name
• Purpose: Alternative login method via Google Sign-In
• Location: United States (Google uses Standard Contractual Clauses)
• Privacy Policy: https://policies.google.com/privacy

All third-party service providers:

• Are contractually obligated to protect your data
• Process data only for specified purposes
• Comply with GDPR and applicable data protection laws
• Have appropriate technical and organizational security measures in place

5.2 Legal Authorities

We may share your personal data with:

• Law enforcement agencies
• Regulatory authorities
• Courts and tribunals
• Tax authorities

When required to:

• Comply with legal obligations
• Respond to valid legal requests
• Protect our rights and property
• Investigate fraud or security issues
• Enforce our Terms and Conditions

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. You will be notified via email and/or prominent notice on our website of any change in ownership or use of your personal data.

5.4 With Your Consent

We may share your personal data with third parties when you explicitly consent to such sharing for a specific purpose.

6. INTERNATIONAL DATA TRANSFERS

Our Primary Operations: AutoThink AI is based in Portugal (European Economic Area).

Data Storage: Your personal data is primarily stored on servers within or with GDPR-compliant safeguards.

Third-Party Services Outside EEA:

Some of our service providers are located outside the EEA (e.g., Stripe in the United States). When we transfer your personal data outside the EEA, we ensure adequate protection through:

6.1 Adequate Safeguards

• Standard Contractual Clauses (SCCs): EU-approved contractual terms that ensure GDPR-level protection
• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• Binding Corporate Rules: Internal policies ensuring GDPR compliance
• Vendor Compliance: All vendors must demonstrate GDPR compliance

6.2 Your Rights Regarding International Transfers

You have the right to:

• Request information about international data transfers
• Obtain a copy of the safeguards in place (e.g., SCCs)
• Object to transfers if adequate protection is not ensured

To request information or copies of safeguards, contact: legal@autothinkai.net

7. HOW LONG WE KEEP YOUR PERSONAL DATA

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods by Data Type

7.2 Account Deletion

When you delete your account:

• Account data is immediately deactivated
• Data is permanently deleted within 30 days
• Billing records are retained for 7 years (legal requirement)
• Usage logs are retained for 90 days
• Backups containing your data are overwritten within 90 days

7.3 Legal Holds

We may retain data longer if required to:

• Comply with legal obligations
• Resolve disputes or enforce agreements
• Protect against legal claims
• Respond to legal investigations

8. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and improve our Service.

8.1 What Are Cookies?

Cookies are small text files stored on your device that help websites remember information about your visit.

8.2 Types of Cookies We Use

Strictly Necessary Cookies (Cannot be disabled)

• Purpose: Essential for the Service to function
• Examples: Session cookies, authentication tokens, security cookies
• Legal Basis: Legitimate interest (necessary for service provision)
• Duration: Session or up to 30 days

Functional Cookies (Can be disabled)

• Purpose: Remember your preferences and settings
• Examples: Language preferences, dashboard layout, remember login
• Legal Basis: Consent
• Duration: Up to 1 year

Analytics Cookies (Can be disabled)

• Purpose: Understand how users interact with our Service
• Examples: Page views, navigation paths, feature usage, error tracking
• Legal Basis: Consent
• Duration: Up to 2 years
• Third Party: May use Google Analytics (anonymized IP)

Marketing Cookies (Can be disabled)

• Purpose: Deliver relevant advertisements (if applicable)
• Legal Basis: Consent
• Duration: Up to 1 year

8.3 Managing Cookies

In Your Browser:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Options > Privacy & Security
• Safari: Preferences > Privacy
• Edge: Settings > Privacy

Important: Disabling necessary cookies may affect Service functionality.

Opt Out of Analytics: Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout

8.4 Do Not Track (DNT)

Some browsers have a "Do Not Track" feature. We currently do not respond to DNT signals, as there is no universal standard. You can control cookies through your browser settings.

9. YOUR RIGHTS UNDER GDPR

As a data subject in the European Economic Area, you have the following rights regarding your personal data:

9.1 Right to Access (Article 15)

You have the right to request:

• Confirmation that we process your personal data
• Access to your personal data
• A copy of your personal data
• Information about how we use your data

How to exercise: Email support@autothinkai.net with subject: "Data Access Request"

Response time: Within 30 days

9.2 Right to Rectification (Article 16)

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data

How to exercise: Update data in your account dashboard OR email support@autothinkai.net

Response time: Within 30 days

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes collected
• You withdraw consent (where processing is based on consent)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required to comply with a legal obligation

Limitations: We may retain data if legally required (e.g., billing records for tax purposes)

How to exercise: Delete account through dashboard OR email support@autothinkai.net

Response time: Within 30 days

9.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data when:

• You contest the accuracy of the data
• Processing is unlawful but you don't want erasure
• We no longer need the data, but you need it for legal claims
• You have objected to processing and verification is pending

How to exercise: Email support@autothinkai.net with subject: "Restrict Processing Request"

Response time: Within 30 days

9.5 Right to Data Portability (Article 20)

You have the right to:

• Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
• Transmit your data to another controller

Applies when: Processing is based on consent or contract AND processing is carried out by automated means

How to exercise: Email support@autothinkai.net with subject: "Data Portability Request"

Response time: Within 30 days

9.6 Right to Object (Article 21)

You have the right to object to processing of your personal data when:

• Processing is based on legitimate interests
• Processing is for direct marketing purposes (absolute right)
• Processing is for scientific, historical, or statistical purposes

How to exercise:

• Marketing emails: Click "Unsubscribe" link
• Other objections: Email support@autothinkai.net

Response time: Within 30 days

9.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you.

Our Position: We do NOT use automated decision-making or profiling for any decisions that significantly affect you.

9.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

How to exercise: Click "Unsubscribe" in marketing emails OR email support@autothinkai.net

Important: Withdrawal does not affect the lawfulness of processing before withdrawal.

9.9 How to Exercise Your Rights

Email: support@autothinkai.net or legal@autothinkai.net

Include:

• Your full name
• Email address associated with your account
• Specific right you wish to exercise
• Any additional information to help us locate your data

Identity Verification: We may require proof of identity to protect your data.

No Fee: Exercising your rights is free, unless requests are manifestly unfounded or excessive.

Response Time: Within 30 days (up to 60 days for complex requests with notice).

10. DATA SECURITY

We implement appropriate technical and organizational measures to protect your personal data.

10.1 Technical Security Measures

Encryption:

• In Transit: TLS 1.3 (SSL/HTTPS) for all data transmission
• At Rest: AES-256 encryption for stored data

Access Controls:

• Role-Based Access Control (RBAC)
• Multi-factor authentication for administrative access
• Principle of least privilege

Authentication & Password Security:

• Passwords hashed using bcrypt
• Never stored in plain text
• Automatic session timeout
• Brute-force protection

Network & Application Security:

• Firewalls and DDoS protection
• Regular security patches
• Intrusion detection systems
• Secure coding practices
• Input validation and CSRF protection

10.2 Organizational Security Measures

• Employee training and confidentiality agreements
• Incident response plan
• Vendor due diligence and DPAs
• Physical security at data centers
• Automated daily backups (encrypted)

10.3 Limitations

No system is 100% secure. You also play a role:

Your Responsibilities:

• Use strong, unique passwords
• Never share login credentials
• Log out on shared devices
• Report suspicious activity

10.4 Data Breach Notification

In the event of a breach:

• We will notify you within 72 hours of discovery
• We will inform you of the nature of the breach
• We will provide guidance on protective steps
• We will notify the relevant supervisory authority

Report security concerns: security@autothinkai.net

11. CHILDREN'S PRIVACY

Our Service is NOT intended for children under 18.

We do NOT knowingly collect personal data from children under 18.

If we discover we have collected data from a child under 18:

• We will delete that data immediately
• We will terminate the account

If you believe we have collected data from a child: Contact support@autothinkai.net

12. THIRD-PARTY LINKS AND SERVICES

12.1 Third-Party Websites

Our Service may contain links to third-party websites (e.g., Idealista, Stripe).

Important:

• We are NOT responsible for third-party privacy practices
• This Privacy Policy does NOT apply to third-party sites
• Read their privacy policies before providing data

Third-Party Policies:

• Idealista: https://www.idealista.com/info/privacidad
• Stripe: https://stripe.com/privacy
• RapidAPI: https://rapidapi.com/privacy

12.2 Idealista Data

• We extract publicly available data from Idealista using Scraperium's API
• We do NOT own or control Idealista's data
• You are responsible for how you use extracted data (see Terms)

13. CHANGES TO THIS PRIVACY POLICY

13.1 Updates

We may update this Privacy Policy to reflect:

• Changes to our practices
• Changes in laws
• New features or services

13.2 Notification of Changes

Material Changes:

• Email notification 30 days before effective date
• Prominent website notice
• Updated "Last Updated" date

Non-Material Changes:

• Updated policy and date
• Continued use constitutes acceptance

Current version: https://ownerretriever.autothinkai.net/privacy

14. HOW TO CONTACT US

AutoThink AI

General Inquiries & Support:

Email: support@autothinkai.net

Response: Within 48 business hours

Data Protection & Legal:

Email: legal@autothinkai.net

Response: Within 10 business days

Business Address:

Portugal

Website:

https://ownerretriever.autothinkai.net

15. HOW TO FILE A COMPLAINT

15.1 Contact Us First

Email: legal@autothinkai.net

15.2 Supervisory Authority

You have the right to lodge a complaint with a data protection authority.

Portuguese Supervisory Authority:

Comissão Nacional de Proteção de Dados (CNPD)

Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal

Phone: +351 21 392 84 00

Email: geral@cnpd.pt

Website: https://www.cnpd.pt

Other EU Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

GDPR COMPLIANCE SUMMARY

This Privacy Policy complies with GDPR requirements, including:

✓ Transparency (Article 12)

✓ Information Obligations (Articles 13 & 14)

✓ Lawful Basis (Article 6)

✓ Data Subject Rights (Articles 15-22)

✓ Data Security (Article 32)

✓ Breach Notification (Articles 33 & 34)

✓ International Transfers (Articles 44-50)

✓ Accountability (Article 5(2))

By using our Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Last Updated: November 17, 2025

Version: 1.0

END OF PRIVACY POLICY